[OpenAFS] "ktadd -k <anywhere> afs/xyz@REALM" breaks AFS instantly?

Adam Megacz megacz@cs.berkeley.edu
Mon, 13 Feb 2006 19:32:19 -0800

Wow, I just went through a really confusing experience.  Please tell
me if this is a correct understanding:

  1. Exporting a key from the KDC into a keytab using "ktadd" causes
     the principal's "kvno" to be incremented.

  2. /etc/openafs/server/KeyFile contains such a key

  3. The key in the KDC and the KeyFile must match exactly, including
     their kvno.

If I understand correctly, simply exporting the afs principal's key
from the KDC (regardless of where you're exporting *to*) will
instantly break all servers in the cell.

... or, at least that's what appeared to happen to me; I started
getting "ticket version number did not match" (or something very
similar) and couldn't do anything in the cell that required privileges
other than system:anyuser.

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380
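The check a practitioner would want for the situation described in this post: confirm that the kvno ktadd wrote into the keytab is also present in the server KeyFile before assuming the cell is healthy. This is an added shell example, not code from the post or from OpenAFS; it assumes MIT Kerberos `klist -k` and OpenAFS `bos listkeys` output formats, and the keytab path /tmp/afs.keytab and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compare the kvno ktadd wrote
# into a keytab with the kvnos present in the AFS server KeyFile. Assumes MIT
# "klist -k" and OpenAFS "bos listkeys" output formats; samples are constructed.

# Print the kvno(s) listed for principal $1 in "klist -k" text on stdin.
keytab_kvnos() {
    awk -v p="$1" '$2 == p { print $1 }'
}

# Print the kvno(s) present in KeyFile from "bos listkeys" text on stdin.
keyfile_kvnos() {
    awk '$1 == "key" && $3 == "has" { print $2 }'
}

# check_kvno PRINC KLIST_TEXT BOS_TEXT: 0 if every keytab kvno for PRINC is in
# KeyFile, 1 if one is missing (the "ticket version" failure), 2 if no PRINC.
check_kvno() {
    princ=$1 klist_out=$2 bos_out=$3
    kt=$(printf '%s\n' "$klist_out" | keytab_kvnos "$princ")
    [ -n "$kt" ] || { echo "$princ not found in keytab" >&2; return 2; }
    kf=$(printf '%s\n' "$bos_out" | keyfile_kvnos)
    status=0
    for v in $kt; do
        if printf '%s\n' "$kf" | grep -qx "$v"; then
            echo "kvno $v for $princ: present in KeyFile"
        else
            echo "kvno $v for $princ: MISSING from KeyFile" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample: ktadd bumped the kvno to 3 but KeyFile still only has 2.
SAMPLE_KLIST='Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 afs/xyz@REALM'
SAMPLE_BOS_STALE='key 2 has cksum 2598253700
Keys last changed on Mon Feb 13 19:00:00 2006.
All done.'
# Constructed sample after "asetkey add 3 /tmp/afs.keytab afs/xyz@REALM".
SAMPLE_BOS_FIXED='key 2 has cksum 2598253700
key 3 has cksum 1096237461
Keys last changed on Mon Feb 13 19:32:00 2006.
All done.'

check_kvno afs/xyz@REALM "$SAMPLE_KLIST" "$SAMPLE_BOS_STALE" || echo "stale KeyFile detected"
check_kvno afs/xyz@REALM "$SAMPLE_KLIST" "$SAMPLE_BOS_FIXED" && echo "KeyFile up to date"
```

On a live cell, feed `klist -k /tmp/afs.keytab` and `bos listkeys <server> -localauth` output into check_kvno; a missing kvno is resolved by loading the exported key into KeyFile with `asetkey add <kvno> <keytab> <principal>` on every server.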